[elrepo-devel] How to avoid the "tainting kernel" message?

Thu Feb 25 02:35:59 EST 2016

Hi Akemi,

This is my results -
$ grep "(" /proc/modules
i915 1344032 4 - Live 0xffffffffa01c9000 (OE)
drm_ukmd_kms_helper 141060 1 i915, Live 0xffffffffa016f000 (OE)
drm_ukmd 369649 3 i915,drm_ukmd_kms_helper, Live 0xffffffffa00b7000 (OE)
drm_ukmd_compat 109279 1 i915, Live 0xffffffffa0019000 (OE)
drm 354356 3 drm_ukmd, Live 0xffffffffa0036000 (OE)

So it seems only because of sign problem, am I right?
In panic.c
*  'O' - Out-of-tree module has been loaded.
*  'E' - Unsigned module has been loaded.

And -
$ cat /proc/sys/kernel/tainted
12288

I don’t know what this number means.

Thanks for your help!

BR
Oliver

From: elrepo-devel-bounces at lists.elrepo.org [mailto:elrepo-devel-bounces at lists.elrepo.org] On Behalf Of Akemi Yagi
Sent: Wednesday, February 24, 2016 3:14 AM
To: EL Repo Developer Mailing List
Subject: Re: [elrepo-devel] How to avoid the "tainting kernel" message?

Hi Oliver,

Also, I still would like to see the output from:

grep "(" /proc/modules
Akemi

On Tue, Feb 23, 2016 at 10:25 AM, Akemi Yagi <amyagi at gmail.com<mailto:amyagi at gmail.com>> wrote:
Hi Oliver,
Could you run the following command and let me know the number it returns? It should give us some info as to what is tainting your kernel.

cat /proc/sys/kernel/tainted
Akemi

On Mon, Feb 22, 2016 at 11:43 PM, Sang, Oliver <oliver.sang at intel.com<mailto:oliver.sang at intel.com>> wrote:
Thanks Akemi!

I just used GPL. I think the reason my kmod tainting kernel is that I haven’t sign the kmd.
Ideally, if I could use the key which centos used when they build their kernel for centos7.2, the kmd wouldn’t taint kernel any longer. But it seems centos won’t give me that key ☺

As I said, after checking several kmod packages from http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/ , I found these kmod are signed with the key which seems for Secure Boot.
Anyone know about how to do this sign?

I found some stuff related with sign in spec file -
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# Sign the modules(s)
%if %{?_with_modsign:1}%{!?_with_modsign:0}
# If the module signing keys are not defined, define them here.
%{!?privkey: %define privkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.priv}
%{!?pubkey: %define pubkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.der}
for module in $(find %{buildroot} -type f -name \*.ko);
do %{__perl} /usr/src/kernels/%{kversion}/scripts/sign-file \
sha256 %{privkey} %{pubkey} $module;
done
%endif
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

But I don’t know how to get these secure-boot key. Anyone can help? Thanks a lot!

BR
Oliver

From: elrepo-devel-bounces at lists.elrepo.org<mailto:elrepo-devel-bounces at lists.elrepo.org> [mailto:elrepo-devel-bounces at lists.elrepo.org<mailto:elrepo-devel-bounces at lists.elrepo.org>] On Behalf Of Akemi Yagi
Sent: Thursday, February 18, 2016 2:08 AM
To: EL Repo Developer Mailing List
Subject: Re: [elrepo-devel] How to avoid the "tainting kernel" message?

On Wed, Feb 17, 2016 at 12:32 AM, Sang, Oliver <oliver.sang at intel.com<mailto:oliver.sang at intel.com>> wrote:
Hello,

I build local kmod for centos7.2. After installation, dmesg says -
module verification failed: signature and/or required key missing - tainting kernel

I checked several kmod packages from http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/
It seems the kmd within them are signed -
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
The ELRepo Project (http://elrepo.org): ELRepo.org Secure Boot Key
*&c[
H#A,
vrPR
OCv+bU
P#Rmwf
)ZJ#U
~Module signature appended~
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
But this key seems be for Secure Boot, so the kmd itself should still taint the kernel, am I right?

Is there a way to avoid the dmesg complaint? Thanks

BR
Oliver

If your kmod taints the kernel, then there can be several possible causes. The most likely reason is a license. If you use a non-GPL license, that will taint the kernel. Please check your package with :

rpm -qip <your.rpm>
Another way to get more clue is to run this command:

grep "(" /proc/modules
It will show a letter that tells you the reason for the taint. For example, on a system running ELRepo's Nvidia driver, I see:

nvidia 8356269 32 - Live 0x0000000000000000 (P)
The letter P indicates "a module with a non-GPL license has been loaded".
Akemi

_______________________________________________
elrepo-devel mailing list
elrepo-devel at lists.elrepo.org<mailto:elrepo-devel at lists.elrepo.org>
http://lists.elrepo.org/mailman/listinfo/elrepo-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.elrepo.org/pipermail/elrepo-devel/attachments/20160225/cab33cad/attachment-0001.html>